Why quiet quitting is a cybersecurity risk

Positive cybersecurity culture is built on a thousand small interactions, decisions and actions taken daily by individuals continually calibrating their contribution to and relationship with the workplace.

 The Mandarin first published this essay.

Quiet quitting has gone from whispers in the corridors of our workplaces to the central narrative for understanding today’s workplace behaviour.

The advocates, arguing for and against whether quiet quitting is a ‘thing’ or not, are loud, forthright, and unequivocal. As the conversation evolves, new catchphrases like ‘quiet hiring’, ‘rage applying’ and ‘loud firing’ have emerged to capture the imagination of employees and managers alike.

However, in the quiet eddies of the conversation, older and more meaningful words and phrases are also being used to describe our work experience—words like burnout, psychological contract and workplace cynicism.

These words sit atop a wealth of research that describes the employee experience of work and the consequences of the behaviours in terms of measures like job performance, organisational commitment and intention to leave.

The connection that needs to be drawn more strongly is the one between these behaviours and heightened cybersecurity risk.

People are a persistent risk to cybersecurity

Recent estimates suggest that 82% of cybersecurity breaches involve the ‘human element’.

This finding is not new. It has been remarkably persistent over several years. Stolen credentials, phishing, misuse, errors and workplace workarounds continue to identify human behaviour as the hard problem of cybersecurity.

Guidance on how we should respond typically involves more training and better communication.

However, to make a difference, it is time to acknowledge human behaviour as an inherent driver and persistent risk. There is a need for a more sophisticated understanding of human behaviour and cybersecurity risk that provides more meaningful pathways to reducing that risk.

Cynicism, burnout, change and the psychological contract

In the murky depths of a simple phrase like ‘quiet quitting’ are sharper-edged workplace feelings like cynicism, distrust and disengagement. These can be rolled into perceived psychological contract breaches between employees and managers.

Breaches of that implicit and dynamic contract result in reduced commitment and cynical attitudes to the organisation. For cybersecurity, the tangible effect is reduced vigilance, heightened passive insider-threat risks, and consciously working around policies and procedures.

The research shows that disaffected people are also less likely to report cybersecurity breaches and incidents. Cynicism triggered by change fatigue, poor work systems or poor leadership can lead to moral disengagement, undermining the connection between the person, their role, their work and the organisation. People feeling like this are more likely to be passive or active threats to cybersecurity.

How people experience work, such as continuously working under time pressure, managing continuity while constantly changing, and the leadership climate, all contribute to heightened cybersecurity risk.

Positive cybersecurity culture is built on a thousand small interactions, decisions and actions taken daily by individuals continually calibrating their contribution to and relationship with the workplace.

The era of quiet recalibration

Quiet quitting also has another dimension where the implications for cybersecurity are less clear. The COVID-19 pandemic has profoundly changed how people think about work and how they do it.

The idea that personal success comes from long working hours of dedicated commitment to an employer at the expense of family, happiness and mental health is no longer sacrosanct. Instead, it is more likely that people across all ages and levels of the workplace are making a more sophisticated calculation about their contribution to work as they seek to maximise the benefits and reduce the harms of working.

In terms of the psychological contract, this is a rebalancing of the relationship between what is required of the job and the discretionary contribution that might be given or asked for that goes above and beyond the job requirements.

Where do people put cybersecurity in this rebalancing?

Of course, there is likely to be a minimum obligation to apply policies and procedures. Still, there is a lot in mitigating cybersecurity risk that is dependent on the diligence, commitment and engagement of people that goes beyond simply implementing policy.

As cost-cutting, reduced staffing levels, implementing new technologies, changing work patterns, and increased time pressure ask more of employees, the risk of ‘job creep’ increases.

So, how will people quietly recalibrate their cybersecurity obligations, and how will that reshape the risk?

Five needs

Beyond more training, better communication and exemplary leadership, how can the risk of human behaviour to cybersecurity be reduced?

  • First, there is a need to get past the prevailing view that people are the problem and move toward people as the solution to reducing risk. This requires a more refined understanding of human behaviour in the workplace that includes the impact of organisational contexts as the underlying driver of risk.

  • Second, there is a need to better equip leaders with the tools they need to assess and actively manage the human behaviour risk to cybersecurity. Today, in the main, leaders and managers are engaged as part of the workforce rather than as critical influencers of positive security behaviours.

  • Third, there is a need to be more alert to the employee experience of work and the potential implications for cybersecurity. The responsibility for cybersecurity does not rest solely with security or cybersecurity specialists. An enterprise response requires security, human resources, information technology, communications and finance to work more closely together to implement comprehensive approaches to identifying and reducing risk.

  • Fourth, there is a need to re-think cybersecurity training to ensure that it contributes directly to building a positive security culture and engages employees in positive cybersecurity behaviours in the context of the way work is done.

  • Fifth, there is a need for security and cybersecurity professionals to engage actively with the hard problem of human behaviour.
